DISA Prototypes Eliminate Cyber Threats Daily
The Internet isolation program prepares for the next phase.
The Defense Information Systems Agency (DISA) Cloud Based Internet Isolation prototyping effort is already eliminating cyber threats every day, says Angela Landress, who manages the program commonly known as CBII.
The program uses a little technological sleight of hand to keep non-secure Internet browsing in the secure Amazon Web Services (AWS) cloud rather than on the Department of Defense Information Network (DODIN). “What comes back from the cloud is actually just a video-like representation of the webpage. There’s nothing executable in it,” Landress explains.
When users connect to any website, what they actually see is a replica of that website hosted in Amazon’s cloud. They still access the same content and interact in the same way, except that the defense network is isolated from those websites. DISA officials publicly unveiled the program in May at the AFCEA TechNet Cyber 2019 Conference.
The prototype effort began in March 2018. DISA officials have awarded two transaction authority contracts to By Light Professional IT Services and to Sealing Technologies to develop prototypes. Those prototypical systems have been shared equally among 10 mission partners, including all four military services, U.S. Central Command, U.S. Special Operations Command and various defense agencies.
“Cloud Based Internet Isolation is an initiative to take the browsing off of the endpoint, and actually off of the DOD Information Network completely and put it in a secure vendor cloud environment. By doing that, all browsing content gets stripped of anything malicious that a user could accidentally execute onto their endpoint. You’re really removing the threat completely,” Landress says.
Pressed on whether the threat can ever really be completely eliminated, the program manager doubles down. “My belief is that we can eliminate the threat from the DODIN of unclassified browsing traffic by moving that to a different space. It completely eliminates third party plug-ins, like Flash. So, vulnerabilities that exist on those plug-ins are no longer a threat to us,” she says.
She reports that the prototypes already are working well and getting great reviews from the mission partner organizations. “We’re able to stop threats on a daily basis,” Landress says. “The traffic you’re really worried about is the inbound traffic. That’s the stuff that can be really malicious.”
She clarifies that the threat is not technically eliminated, but it is isolated away from the Defense Department’s network. “My opinion is we’re not getting rid of the threat. We’re just moving it away from our assets. If there is a threat, it gets exploited in the vendor space, and their servers get compromised, not ours. There’s no code coming back to the user, so anything that gets executed, gets detonated in this cloud environment.”
Users, she adds, see no difference except that one system includes a DISA logo, the other a thin green line at the top of the page, both of which indicate to users they are accessing their content through a secure cloud. “The user sees no difference, and they’re still able to interact with the website, but they’re actually interacting with these servers in the AWS cloud, rather than our servers here in the DODIN.”
In addition to improving security, the Internet isolation technology improves performance. For example, it decreases the amount of bandwidth needed and the amount of time it takes for webpages to load. “We’ve been able to decrease the bandwidth already with just the users we have on, and we’ve been able to decrease latency significantly,” Landress reveals. “The bandwidth I can quantify to a 20 percent decrease, the latency to … under 100 milliseconds.”
The efficiencies come from a number of bandwidth optimization tools. For example, if a user has more than one tab open, those tabs not in use will be given lower priority so that “all that bandwidth isn’t streaming.” When a user is streaming a video, for instance, and then moves on to a new tab, the first tab will only stream the audio and “downgrade the video to a degree that it’s almost asleep.”
Furthermore, DISA servers no longer have to host an array of network inspection tools, such as web content filtering software, because the traffic is inspected in the AWS cloud.
Landress says that both systems were already mature for industry partners, such as those in the banking industry, but they needed to be tailored specifically for the Defense Department. Improvements include enhanced mobile capabilities.
DISA expects to select one vendor in the spring and to roll out the technology in three phases, largely by sharing it with more users within the mission partner organizations. The first phase will extend the prototype to more than one million users sometime in fiscal year 2021.
The final vendor will be chosen based on performance, but picking a winner may not be easy. “They’re very similar,” Landress says.